1#	$OpenBSD: agent.sh,v 1.21 2023/03/01 09:29:32 dtucker Exp $
2#	Placed in the Public Domain.
3
4tid="simple agent test"
5
6SSH_AUTH_SOCK=/nonexistent ${SSHADD} -l > /dev/null 2>&1
7if [ $? -ne 2 ]; then
8	fail "ssh-add -l did not fail with exit code 2"
9fi
10
11trace "start agent, args ${EXTRA_AGENT_ARGS} -s"
12eval `${SSHAGENT} ${EXTRA_AGENT_ARGS} -s` >`ssh_logfile ssh-agent`
13r=$?
14if [ $r -ne 0 ]; then
15	fatal "could not start ssh-agent: exit code $r"
16fi
17
18eval `${SSHAGENT} ${EXTRA_AGENT_ARGS} -s | sed 's/SSH_/FW_SSH_/g'` > /dev/null
19r=$?
20if [ $r -ne 0 ]; then
21	fatal "could not start second ssh-agent: exit code $r"
22fi
23
24${SSHADD} -l > /dev/null 2>&1
25if [ $? -ne 1 ]; then
26	fail "ssh-add -l did not fail with exit code 1"
27fi
28
29rm -f $OBJ/user_ca_key $OBJ/user_ca_key.pub
30${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_ca_key \
31	|| fatal "ssh-keygen failed"
32
33trace "overwrite authorized keys"
34printf '' > $OBJ/authorized_keys_$USER
35
36for t in ${SSH_KEYTYPES}; do
37	# generate user key for agent
38	rm -f $OBJ/$t-agent $OBJ/$t-agent.pub*
39	${SSHKEYGEN} -q -N '' -t $t -f $OBJ/$t-agent ||\
40		 fatal "ssh-keygen for $t-agent failed"
41	# Make a certificate for each too.
42	${SSHKEYGEN} -qs $OBJ/user_ca_key -I "$t cert" \
43		-n estragon $OBJ/$t-agent.pub || fatal "ca sign failed"
44
45	# add to authorized keys
46	cat $OBJ/$t-agent.pub >> $OBJ/authorized_keys_$USER
47	# add private key to agent
48	${SSHADD} $OBJ/$t-agent > /dev/null 2>&1
49	if [ $? -ne 0 ]; then
50		fail "ssh-add failed exit code $?"
51	fi
52	# add private key to second agent
53	SSH_AUTH_SOCK=$FW_SSH_AUTH_SOCK ${SSHADD} $OBJ/$t-agent > /dev/null 2>&1
54	if [ $? -ne 0 ]; then
55		fail "ssh-add failed exit code $?"
56	fi
57	# Move private key to ensure that we aren't accidentally using it.
58	# Keep the corresponding public keys/certs around for later use.
59	mv -f $OBJ/$t-agent $OBJ/$t-agent-private
60	cp -f $OBJ/$t-agent.pub $OBJ/$t-agent-private.pub
61	cp -f $OBJ/$t-agent-cert.pub $OBJ/$t-agent-private-cert.pub
62done
63
64# Remove explicit identity directives from ssh_proxy
65mv $OBJ/ssh_proxy $OBJ/ssh_proxy_bak
66grep -vi identityfile $OBJ/ssh_proxy_bak > $OBJ/ssh_proxy
67
68${SSHADD} -l > /dev/null 2>&1
69r=$?
70if [ $r -ne 0 ]; then
71	fail "ssh-add -l failed: exit code $r"
72fi
73# the same for full pubkey output
74${SSHADD} -L > /dev/null 2>&1
75r=$?
76if [ $r -ne 0 ]; then
77	fail "ssh-add -L failed: exit code $r"
78fi
79
80trace "simple connect via agent"
81${SSH} -F $OBJ/ssh_proxy somehost exit 52
82r=$?
83if [ $r -ne 52 ]; then
84	fail "ssh connect with failed (exit code $r)"
85fi
86
87for t in ${SSH_KEYTYPES}; do
88	trace "connect via agent using $t key"
89	if [ "$t" = "ssh-dss" ]; then
90		echo "PubkeyAcceptedAlgorithms +ssh-dss" >> $OBJ/ssh_proxy
91		echo "PubkeyAcceptedAlgorithms +ssh-dss" >> $OBJ/sshd_proxy
92	fi
93	${SSH} -F $OBJ/ssh_proxy -i $OBJ/$t-agent.pub -oIdentitiesOnly=yes \
94		somehost exit 52
95	r=$?
96	if [ $r -ne 52 ]; then
97		fail "ssh connect with failed (exit code $r)"
98	fi
99done
100
101trace "agent forwarding"
102${SSH} -A -F $OBJ/ssh_proxy somehost ${SSHADD} -l > /dev/null 2>&1
103r=$?
104if [ $r -ne 0 ]; then
105	fail "ssh-add -l via agent fwd failed (exit code $r)"
106fi
107${SSH} "-oForwardAgent=$SSH_AUTH_SOCK" -F $OBJ/ssh_proxy somehost ${SSHADD} -l > /dev/null 2>&1
108r=$?
109if [ $r -ne 0 ]; then
110	fail "ssh-add -l via agent path fwd failed (exit code $r)"
111fi
112${SSH} -A -F $OBJ/ssh_proxy somehost \
113	"${SSH} -F $OBJ/ssh_proxy somehost exit 52"
114r=$?
115if [ $r -ne 52 ]; then
116	fail "agent fwd failed (exit code $r)"
117fi
118
119trace "agent forwarding different agent"
120${SSH} "-oForwardAgent=$FW_SSH_AUTH_SOCK" -F $OBJ/ssh_proxy somehost ${SSHADD} -l > /dev/null 2>&1
121r=$?
122if [ $r -ne 0 ]; then
123	fail "ssh-add -l via agent path fwd of different agent failed (exit code $r)"
124fi
125${SSH} '-oForwardAgent=$FW_SSH_AUTH_SOCK' -F $OBJ/ssh_proxy somehost ${SSHADD} -l > /dev/null 2>&1
126r=$?
127if [ $r -ne 0 ]; then
128	fail "ssh-add -l via agent path env fwd of different agent failed (exit code $r)"
129fi
130
131# Remove keys from forwarded agent, ssh-add on remote machine should now fail.
132SSH_AUTH_SOCK=$FW_SSH_AUTH_SOCK ${SSHADD} -D > /dev/null 2>&1
133r=$?
134if [ $r -ne 0 ]; then
135	fail "ssh-add -D failed: exit code $r"
136fi
137${SSH} '-oForwardAgent=$FW_SSH_AUTH_SOCK' -F $OBJ/ssh_proxy somehost ${SSHADD} -l > /dev/null 2>&1
138r=$?
139if [ $r -ne 1 ]; then
140	fail "ssh-add -l with different agent did not fail with exit code 1 (exit code $r)"
141fi
142
143(printf 'cert-authority,principals="estragon" '; cat $OBJ/user_ca_key.pub) \
144	> $OBJ/authorized_keys_$USER
145for t in ${SSH_KEYTYPES}; do
146    if [ "$t" != "ssh-dss" ]; then
147	trace "connect via agent using $t key"
148	${SSH} -F $OBJ/ssh_proxy -i $OBJ/$t-agent.pub \
149		-oCertificateFile=$OBJ/$t-agent-cert.pub \
150		-oIdentitiesOnly=yes somehost exit 52
151	r=$?
152	if [ $r -ne 52 ]; then
153		fail "ssh connect with failed (exit code $r)"
154	fi
155    fi
156done
157
158## Deletion tests.
159
160trace "delete all agent keys"
161${SSHADD} -D > /dev/null 2>&1
162r=$?
163if [ $r -ne 0 ]; then
164	fail "ssh-add -D failed: exit code $r"
165fi
166# make sure they're gone
167${SSHADD} -l > /dev/null 2>&1
168r=$?
169if [ $r -ne 1 ]; then
170	fail "ssh-add -l returned unexpected exit code: $r"
171fi
172trace "readd keys"
173# re-add keys/certs to agent
174for t in ${SSH_KEYTYPES}; do
175	${SSHADD} $OBJ/$t-agent-private >/dev/null 2>&1 || \
176		fail "ssh-add failed exit code $?"
177done
178# make sure they are there
179${SSHADD} -l > /dev/null 2>&1
180r=$?
181if [ $r -ne 0 ]; then
182	fail "ssh-add -l failed: exit code $r"
183fi
184
185check_key_absent() {
186	${SSHADD} -L | grep "^$1 " >/dev/null
187	if [ $? -eq 0 ]; then
188		fail "$1 key unexpectedly present"
189	fi
190}
191check_key_present() {
192	${SSHADD} -L | grep "^$1 " >/dev/null
193	if [ $? -ne 0 ]; then
194		fail "$1 key missing from agent"
195	fi
196}
197
198# delete the ed25519 key
199trace "delete single key by file"
200${SSHADD} -qdk $OBJ/ssh-ed25519-agent || fail "ssh-add -d ed25519 failed"
201check_key_absent ssh-ed25519
202check_key_present ssh-ed25519-cert-v01@openssh.com
203# Put key/cert back.
204${SSHADD} $OBJ/ssh-ed25519-agent-private >/dev/null 2>&1 || \
205	fail "ssh-add failed exit code $?"
206check_key_present ssh-ed25519
207# Delete both key and certificate.
208trace "delete key/cert by file"
209${SSHADD} -qd $OBJ/ssh-ed25519-agent || fail "ssh-add -d ed25519 failed"
210check_key_absent ssh-ed25519
211check_key_absent ssh-ed25519-cert-v01@openssh.com
212# Put key/cert back.
213${SSHADD} $OBJ/ssh-ed25519-agent-private >/dev/null 2>&1 || \
214	fail "ssh-add failed exit code $?"
215check_key_present ssh-ed25519
216# Delete certificate via stdin
217${SSHADD} -qd - < $OBJ/ssh-ed25519-agent-cert.pub || fail "ssh-add -d - failed"
218check_key_present ssh-ed25519
219check_key_absent ssh-ed25519-cert-v01@openssh.com
220# Delete key via stdin
221${SSHADD} -qd - < $OBJ/ssh-ed25519-agent.pub || fail "ssh-add -d - failed"
222check_key_absent ssh-ed25519
223check_key_absent ssh-ed25519-cert-v01@openssh.com
224
225trace "kill agent"
226${SSHAGENT} -k > /dev/null
227SSH_AGENT_PID=$FW_SSH_AGENT_PID ${SSHAGENT} -k > /dev/null
228